Fix a bug in host matching where a negated sudoHost entry would

prevent other sudoHosts following it from matching.

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 35830dc1efe276613bdbb2683bfe55575431c1cc..b1d1116f96be69bc01a01355d108ce2792e2c2fc 100644 (file)
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -722,20 +722,21 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
 {
     struct berval **bv, **p;
     char *val;
-    bool ret = false;
-    bool foundbang = false;
+    int matched = UNSPEC;
     debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
 
     if (!entry)
-       debug_return_bool(ret);
+       debug_return_bool(false);
 
     /* get the values from the entry */
     bv = ldap_get_values_len(ld, entry, "sudoHost");
     if (bv == NULL)
-       debug_return_bool(ret);
+       debug_return_bool(false);
 
     /* walk through values */
-    for (p = bv; *p != NULL && !foundbang; p++) {
+    for (p = bv; *p != NULL && matched != false; p++) {
+       bool foundbang = false;
+
        val = (*p)->bv_val;
 
        if (*val == '!') {
@@ -747,14 +748,17 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
        if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
            netgr_matches(val, user_runhost, user_srunhost,
            def_netgroup_tuple ? pw->pw_name : NULL) ||
-           hostname_matches(user_srunhost, user_runhost, val))
-           ret = !foundbang;
-       DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+           hostname_matches(user_srunhost, user_runhost, val)) {
+
+           matched = foundbang ? false : true;
+       }
+       DPRINTF2("ldap sudoHost '%s' ... %s",
+           val, matched == true ? "MATCH!" : "not");
     }
 
     ldap_value_free_len(bv);   /* cleanup */
 
-    debug_return_bool(ret);
+    debug_return_bool(matched == true);
 }
 
 static int

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 8ef4c9d41cb232fe5cf57b34fc9040780ed68b8f..f088b18bb68c55b28008a71c05a32b13bb4ee254 100644 (file)
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -741,13 +741,12 @@ static bool
 sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
     char **val_array, *val;
-    bool ret = false;
-    bool foundbang = false;
+    int matched = UNSPEC;
     int i;
     debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
 
     if (rule == NULL)
-       debug_return_bool(ret);
+       debug_return_bool(false);
 
     /* get the values from the rule */
     switch (handle->fn_get_values(rule, "sudoHost", &val_array)) {
@@ -758,11 +757,13 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
        debug_return_bool(false);
     default:
        sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
-       debug_return_bool(ret);
+       debug_return_bool(false);
     }
 
     /* walk through values */
-    for (i = 0; val_array[i] != NULL && !foundbang; ++i) {
+    for (i = 0; val_array[i] != NULL && matched != false; ++i) {
+       bool foundbang = false;
+
        val = val_array[i];
        sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
 
@@ -775,16 +776,18 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
        if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
            netgr_matches(val, handle->host, handle->shost,
            def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
-           hostname_matches(handle->shost, handle->host, val))
-           ret = !foundbang;
+           hostname_matches(handle->shost, handle->host, val)) {
 
-       sudo_debug_printf(SUDO_DEBUG_INFO,
-           "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+           matched = foundbang ? false : true;
+       }
+
+       sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
+           val, matched == true ? "MATCH!" : "not");
     }
 
     handle->fn_free_values(val_array);
 
-    debug_return_bool(ret);
+    debug_return_bool(matched == true);
 }
 
 /*